From: Greg Kroah-Hartman Date: Sat, 30 Mar 2019 10:16:36 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.138~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=47917a08feb952d280e3a100bbf3b08a9c46c91a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: fs-open.c-allow-opening-only-regular-files-during-execve.patch scsi-sd-fix-a-race-between-closing-an-sd-device-and-sd-i-o.patch scsi-sd-quiesce-warning-if-device-does-not-report-optimal-i-o-size.patch scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv-fcp-devices.patch
---
diff --git a/queue-4.9/fs-open.c-allow-opening-only-regular-files-during-execve.patch b/queue-4.9/fs-open.c-allow-opening-only-regular-files-during-execve.patch
new file mode 100644
index 00000000000..bae0a53720c
--- /dev/null
+++ b/queue-4.9/fs-open.c-allow-opening-only-regular-files-during-execve.patch
@@ -0,0 +1,60 @@
+From 73601ea5b7b18eb234219ae2adf77530f389da79 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Thu, 28 Mar 2019 20:43:30 -0700
+Subject: fs/open.c: allow opening only regular files during execve()
+
+From: Tetsuo Handa
+
+commit 73601ea5b7b18eb234219ae2adf77530f389da79 upstream.
+
+syzbot is hitting lockdep warning [1] due to trying to open a fifo
+during an execve() operation. But we don't need to open non regular
+files during an execve() operation, for all files which we will need are
+the executable file itself and the interpreter programs like /bin/sh and
+ld-linux.so.2 .
+
+Since the manpage for execve(2) says that execve() returns EACCES when
+the file or a script interpreter is not a regular file, and the manpage
+for uselib(2) says that uselib() can return EACCES, and we use
+FMODE_EXEC when opening for execve()/uselib(), we can bail out if a non
+regular file is requested with FMODE_EXEC set.
+
+Since this deadlock followed by khungtaskd warnings is trivially
+reproducible by a local unprivileged user, and syzbot's frequent crash
+due to this deadlock defers finding other bugs, let's workaround this
+deadlock until we get a chance to find a better solution.
+
+[1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578ce
+
+Link: http://lkml.kernel.org/r/1552044017-7890-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp
+Reported-by: syzbot
+Fixes: 8924feff66f35fe2 ("splice: lift pipe_lock out of splice_to_pipe()")
+Signed-off-by: Tetsuo Handa
+Acked-by: Kees Cook
+Cc: Al Viro
+Cc: Eric Biggers
+Cc: Dmitry Vyukov
+Cc: [4.9+]
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/open.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/open.c
++++ b/fs/open.c
+@@ -717,6 +717,12 @@ static int do_dentry_open(struct file *f
+ return 0;
+ }
+
++ /* Any file opened for execve()/uselib() has to be a regular file. */
++ if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) {
++ error = -EACCES;
++ goto cleanup_file;
++ }
++
+ if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) {
+ error = get_write_access(inode);
+ if (unlikely(error))
diff --git a/queue-4.9/scsi-sd-fix-a-race-between-closing-an-sd-device-and-sd-i-o.patch b/queue-4.9/scsi-sd-fix-a-race-between-closing-an-sd-device-and-sd-i-o.patch
new file mode 100644
index 00000000000..49bfbb663a0
--- /dev/null
+++ b/queue-4.9/scsi-sd-fix-a-race-between-closing-an-sd-device-and-sd-i-o.patch
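Review bot: In the fs/open.c hunk, the new guard in do_dentry_open() tests `f->f_flags & FMODE_EXEC`, which mixes an fmode_t constant with the open-flags word; the kernel defines `__FMODE_EXEC` for that field, so `if (unlikely((f->f_flags & __FMODE_EXEC) && !S_ISREG(inode->i_mode))) {` expresses the same test without the type mix (sparse would likely warn on the current form) and makes the `&`/`&&` grouping explicit. The commit message calls this a workaround for a deadlock that a local unprivileged user can trigger, so the one-line comment should also say that the check is deliberately placed before the file is actually opened; the open call itself is outside the hunk, so that ordering should be confirmed against the full function. do_dentry_open() starts and ends outside the hunk.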
@@ -0,0 +1,81 @@
+From c14a57264399efd39514a2329c591a4b954246d8 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 25 Mar 2019 10:01:46 -0700
+Subject: scsi: sd: Fix a race between closing an sd device and sd I/O
+
+From: Bart Van Assche
+
+commit c14a57264399efd39514a2329c591a4b954246d8 upstream.
+
+The scsi_end_request() function calls scsi_cmd_to_driver() indirectly and
+hence needs the disk->private_data pointer. Avoid that that pointer is
+cleared before all affected I/O requests have finished. This patch avoids
+that the following crash occurs:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
+Call trace:
+ scsi_mq_uninit_cmd+0x1c/0x30
+ scsi_end_request+0x7c/0x1b8
+ scsi_io_completion+0x464/0x668
+ scsi_finish_command+0xbc/0x160
+ scsi_eh_flush_done_q+0x10c/0x170
+ sas_scsi_recover_host+0x84c/0xa98 [libsas]
+ scsi_error_handler+0x140/0x5b0
+ kthread+0x100/0x12c
+ ret_from_fork+0x10/0x18
+
+Cc: Christoph Hellwig
+Cc: Ming Lei
+Cc: Hannes Reinecke
+Cc: Johannes Thumshirn
+Cc: Jason Yan
+Cc:
+Signed-off-by: Bart Van Assche
+Reported-by: Jason Yan
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sd.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -1284,11 +1284,6 @@ static void sd_release(struct gendisk *d
+ scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW);
+ }
+
+- /*
+- * XXX and what if there are packets in flight and this close()
+- * XXX is followed by a "rmmod sd_mod"?
+- */
+-
+ scsi_disk_put(sdkp);
+ }
+
+@@ -3257,11 +3252,23 @@ static void scsi_disk_release(struct dev
+ {
+ struct scsi_disk *sdkp = to_scsi_disk(dev);
+ struct gendisk *disk = sdkp->disk;
+-
++ struct request_queue *q = disk->queue;
++
+ spin_lock(&sd_index_lock);
+ ida_remove(&sd_index_ida, sdkp->index);
+ spin_unlock(&sd_index_lock);
+
++ /*
++ * Wait until all requests that are in progress have completed.
++ * This is necessary to avoid that e.g. scsi_end_request() crashes
++ * due to clearing the disk->private_data pointer. Wait from inside
++ * scsi_disk_release() instead of from sd_release() to avoid that
++ * freezing and unfreezing the request queue affects user space I/O
++ * in case multiple processes open a /dev/sd... node concurrently.
++ */
++ blk_mq_freeze_queue(q);
++ blk_mq_unfreeze_queue(q);
++
+ disk->private_data = NULL;
+ put_disk(disk);
+ put_device(&sdkp->device->sdev_gendev);
diff --git a/queue-4.9/scsi-sd-quiesce-warning-if-device-does-not-report-optimal-i-o-size.patch b/queue-4.9/scsi-sd-quiesce-warning-if-device-does-not-report-optimal-i-o-size.patch
new file mode 100644
index 00000000000..7677b341c7c
--- /dev/null
+++ b/queue-4.9/scsi-sd-quiesce-warning-if-device-does-not-report-optimal-i-o-size.patch
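Review bot: In the scsi_disk_release() hunk of the sd race fix, the drain relies on `blk_mq_freeze_queue(q)` followed by `blk_mq_unfreeze_queue(q)`, and for this 4.9 backport it should be confirmed that the freeze really waits for in-flight requests when the disk runs on the legacy (non-blk-mq) request path, which sd can still use on 4.9. If it does not, `disk->private_data = NULL` can still race with scsi_end_request() on those queues and the NULL dereference from the commit message remains reachable. The added comment would be more useful if it stated which queue modes the wait covers, e.g. a closing line `* NOTE: verify this also drains legacy request queues on this branch.` scsi_disk_release() continues past the end of the hunk.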
@@ -0,0 +1,44 @@
+From 1d5de5bd311be7cd54f02f7cd164f0349a75c876 Mon Sep 17 00:00:00 2001
+From: "Martin K. Petersen"
+Date: Wed, 27 Mar 2019 12:11:52 -0400
+Subject: scsi: sd: Quiesce warning if device does not report optimal I/O size
+
+From: Martin K. Petersen
+
+commit 1d5de5bd311be7cd54f02f7cd164f0349a75c876 upstream.
+
+Commit a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple
+of physical block size") split one conditional into several separate
+statements in an effort to provide more accurate warning messages when
+a device reports a nonsensical value. However, this reorganization
+accidentally dropped the precondition of the reported value being
+larger than zero. This lead to a warning getting emitted on devices
+that do not report an optimal I/O size at all.
+
+Remain silent if a device does not report an optimal I/O size.
+
+Fixes: a83da8a4509d ("scsi: sd: Optimal I/O size should be a multiple of physical block size")
+Cc: Randy Dunlap
+Cc:
+Reported-by: Hussam Al-Tayeb
+Tested-by: Hussam Al-Tayeb
+Reviewed-by: Bart Van Assche
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sd.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2841,6 +2841,9 @@ static bool sd_validate_opt_xfer_size(st
+ unsigned int opt_xfer_bytes =
+ logical_to_bytes(sdp, sdkp->opt_xfer_blocks);
+
++ if (sdkp->opt_xfer_blocks == 0)
++ return false;
++
+ if (sdkp->opt_xfer_blocks > dev_max) {
+ sd_first_printk(KERN_WARNING, sdkp,
+ "Optimal transfer size %u logical blocks " \
diff --git a/queue-4.9/scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch b/queue-4.9/scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch
new file mode 100644
index 00000000000..1b1a17189c2
--- /dev/null
+++ b/queue-4.9/scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch
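Review bot: The early return added to sd_validate_opt_xfer_size() has no comment, and the commit message says this same precondition was already lost once during a refactor. A line such as `/* 0 means the device reported no optimal transfer size: not an error, stay silent */` above `if (sdkp->opt_xfer_blocks == 0)` would keep the intent visible the next time the checks are reorganised. The function starts and ends outside the hunk.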
@@ -0,0 +1,83 @@
+From fe67888fc007a76b81e37da23ce5bd8fb95890b0 Mon Sep 17 00:00:00 2001
+From: Steffen Maier
+Date: Tue, 26 Mar 2019 14:36:58 +0100
+Subject: scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host
+
+From: Steffen Maier
+
+commit fe67888fc007a76b81e37da23ce5bd8fb95890b0 upstream.
+
+An already deleted SCSI device can exist on the Scsi_Host and remain there
+because something still holds a reference. A new SCSI device with the same
+H:C:T:L and FCP device, target port WWPN, and FCP LUN can be created. When
+we try to unblock an rport, we still find the deleted SCSI device and
+return early because the zfcp_scsi_dev of that SCSI device is not
+ZFCP_STATUS_COMMON_UNBLOCKED. Hence we miss to unblock the rport, even if
+the new proper SCSI device would be in good state.
+
+Therefore, skip deleted SCSI devices when iterating the sdevs of the shost.
+[cf. __scsi_device_lookup{_by_target}() or scsi_device_get()]
+
+The following abbreviated trace sequence can indicate such problem:
+
+Area : REC
+Tag : ersfs_3
+LUN : 0x4045400300000000
+WWPN : 0x50050763031bd327
+LUN status : 0x40000000 not ZFCP_STATUS_COMMON_UNBLOCKED
+Ready count : n not incremented yet
+Running count : 0x00000000
+ERP want : 0x01
+ERP need : 0xc1 ZFCP_ERP_ACTION_NONE
+
+Area : REC
+Tag : ersfs_3
+LUN : 0x4045400300000000
+WWPN : 0x50050763031bd327
+LUN status : 0x41000000
+Ready count : n+1
+Running count : 0x00000000
+ERP want : 0x01
+ERP need : 0x01
+
+...
+
+Area : REC
+Level : 4 only with increased trace level
+Tag : ertru_l
+LUN : 0x4045400300000000
+WWPN : 0x50050763031bd327
+LUN status : 0x40000000
+Request ID : 0x0000000000000000
+ERP status : 0x01800000
+ERP step : 0x1000
+ERP action : 0x01
+ERP count : 0x00
+
+NOT followed by a trace record with tag "scpaddy"
+for WWPN 0x50050763031bd327.
+
+Signed-off-by: Steffen Maier
+Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery")
+Cc: #2.6.32+
+Reviewed-by: Jens Remus
+Reviewed-by: Benjamin Block
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/scsi/zfcp_erp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -1306,6 +1306,9 @@ static void zfcp_erp_try_rport_unblock(s
+ struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
+ int lun_status;
+
++ if (sdev->sdev_state == SDEV_DEL ||
++ sdev->sdev_state == SDEV_CANCEL)
++ continue;
+ if (zsdev->port != port)
+ continue;
+ /* LUN under port of interest */
diff --git a/queue-4.9/scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv-fcp-devices.patch b/queue-4.9/scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv-fcp-devices.patch
new file mode 100644
index 00000000000..3359d184c98
--- /dev/null
+++ b/queue-4.9/scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv-fcp-devices.patch
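Review bot: The `sdev_state` test added to zfcp_erp_try_rport_unblock() carries no comment, although the check next to it has one (`/* LUN under port of interest */`); something like `/* skip deleted sdevs that linger on the shost while still referenced */` would explain why the two states are filtered. The state is sampled once per iteration, and the lock held by the enclosing loop is not visible in the hunk, so whether an sdev can move to SDEV_CANCEL or SDEV_DEL right after the check should be confirmed against the loop's locking. The loop and the function both start and end outside the hunk.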
@@ -0,0 +1,94 @@
+From 242ec1455151267fe35a0834aa9038e4c4670884 Mon Sep 17 00:00:00 2001
+From: Steffen Maier
+Date: Tue, 26 Mar 2019 14:36:59 +0100
+Subject: scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices
+
+From: Steffen Maier
+
+commit 242ec1455151267fe35a0834aa9038e4c4670884 upstream.
+
+Suppose more than one non-NPIV FCP device is active on the same channel.
+Send I/O to storage and have some of the pending I/O run into a SCSI
+command timeout, e.g. due to bit errors on the fibre. Now the error
+situation stops. However, we saw FCP requests continue to timeout in the
+channel. The abort will be successful, but the subsequent TUR fails.
+Scsi_eh starts. The LUN reset fails. The target reset fails. The host
+reset only did an FCP device recovery. However, for non-NPIV FCP devices,
+this does not close and reopen ports on the SAN-side if other non-NPIV FCP
+device(s) share the same open ports.
+
+In order to resolve the continuing FCP request timeouts, we need to
+explicitly close and reopen ports on the SAN-side.
+
+This was missing since the beginning of zfcp in v2.6.0 history commit
+ea127f975424 ("[PATCH] s390 (7/7): zfcp host adapter.").
+
+Note: The FSF requests for forced port reopen could run into FSF request
+timeouts due to other reasons. This would trigger an internal FCP device
+recovery. Pending forced port reopen recoveries would get dismissed. So
+some ports might not get fully reopened during this host reset handler.
+However, subsequent I/O would trigger the above described escalation and
+eventually all ports would be forced reopen to resolve any continuing FCP
+request timeouts due to earlier bit errors.
+
+Signed-off-by: Steffen Maier
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: #3.0+
+Reviewed-by: Jens Remus
+Reviewed-by: Benjamin Block
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/s390/scsi/zfcp_erp.c | 14 ++++++++++++++
+ drivers/s390/scsi/zfcp_ext.h | 2 ++
+ drivers/s390/scsi/zfcp_scsi.c | 4 ++++
+ 3 files changed, 20 insertions(+)
+
+--- a/drivers/s390/scsi/zfcp_erp.c
++++ b/drivers/s390/scsi/zfcp_erp.c
+@@ -652,6 +652,20 @@ static void zfcp_erp_strategy_memwait(st
+ add_timer(&erp_action->timer);
+ }
+
++void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
++ int clear, char *dbftag)
++{
++ unsigned long flags;
++ struct zfcp_port *port;
++
++ write_lock_irqsave(&adapter->erp_lock, flags);
++ read_lock(&adapter->port_list_lock);
++ list_for_each_entry(port, &adapter->port_list, list)
++ _zfcp_erp_port_forced_reopen(port, clear, dbftag);
++ read_unlock(&adapter->port_list_lock);
++ write_unlock_irqrestore(&adapter->erp_lock, flags);
++}
++
+ static void _zfcp_erp_port_reopen_all(struct zfcp_adapter *adapter,
+ int clear, char *id)
+ {
+--- a/drivers/s390/scsi/zfcp_ext.h
++++ b/drivers/s390/scsi/zfcp_ext.h
+@@ -68,6 +68,8 @@ extern void zfcp_erp_clear_port_status(s
+ extern int zfcp_erp_port_reopen(struct zfcp_port *, int, char *);
+ extern void zfcp_erp_port_shutdown(struct zfcp_port *, int, char *);
+ extern void zfcp_erp_port_forced_reopen(struct zfcp_port *, int, char *);
++extern void zfcp_erp_port_forced_reopen_all(struct zfcp_adapter *adapter,
++ int clear, char *dbftag);
+ extern void zfcp_erp_set_lun_status(struct scsi_device *, u32);
+ extern void zfcp_erp_clear_lun_status(struct scsi_device *, u32);
+ extern void zfcp_erp_lun_reopen(struct scsi_device *, int, char *);
+--- a/drivers/s390/scsi/zfcp_scsi.c
++++ b/drivers/s390/scsi/zfcp_scsi.c
+@@ -326,6 +326,10 @@ static int zfcp_scsi_eh_host_reset_handl
+ struct zfcp_adapter *adapter = zfcp_sdev->port->adapter;
+ int ret = SUCCESS, fc_ret;
+
++ if (!(adapter->connection_features & FSF_FEATURE_NPIV_MODE)) {
++ zfcp_erp_port_forced_reopen_all(adapter, 0, "schrh_p");
++ zfcp_erp_wait(adapter);
++ }
+ zfcp_erp_adapter_reopen(adapter, 0, "schrh_1");
+ zfcp_erp_wait(adapter);
+ fc_ret = fc_block_scsi_eh(scpnt);
diff --git a/queue-4.9/series b/queue-4.9/series
index 7bc18bfe319..cdd8323c15f 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -24,3 +24,8 @@ alsa-rawmidi-fix-potential-spectre-v1-vulnerability.patch
 alsa-seq-oss-fix-spectre-v1-vulnerability.patch
 alsa-pcm-fix-possible-oob-access-in-pcm-oss-plugins.patch
 alsa-pcm-don-t-suspend-stream-in-unrecoverable-pcm-state.patch
+fs-open.c-allow-opening-only-regular-files-during-execve.patch
+scsi-sd-fix-a-race-between-closing-an-sd-device-and-sd-i-o.patch
+scsi-sd-quiesce-warning-if-device-does-not-report-optimal-i-o-size.patch
+scsi-zfcp-fix-rport-unblock-if-deleted-scsi-devices-on-scsi_host.patch
+scsi-zfcp-fix-scsi_eh-host-reset-with-port_forced-erp-for-non-npiv-fcp-devices.patch
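Review bot: In the zfcp host-reset patch, zfcp_erp_port_forced_reopen_all() in zfcp_erp.c is a new non-static entry point without kernel-doc, although it has a locking contract worth recording: it takes `adapter->erp_lock` with interrupts disabled and nests `adapter->port_list_lock` inside it while calling `_zfcp_erp_port_forced_reopen()` for every port on the list. A short kernel-doc block naming the three parameters and that lock nesting, and noting that the caller in zfcp_scsi_eh_host_reset_handler() follows the call with `zfcp_erp_wait(adapter)`, would help the next change keep the ordering intact. As a point of style, the new prototype in zfcp_ext.h names its parameters while the adjacent prototypes use bare types; either form is fine, but the file should settle on one.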